The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Leave a comment

2014 Verizon Data Breach Report Paints a Sobering Picture of the Information Security Landscape

The 2014 Verizon Data Breach Investigations Report (DBIR) was released on April 22, providing just the sort of deep empirical analysis of cybersecurity incidents we’ve come to expect from this annual report. The primary messages of this year’s DBIR are the targeting of web applications, continued weaknesses in payment systems, and nine categories of attack patterns that cover almost all recorded incidents. Further, despite the attention paid to last year’s enormous data breach at Target, this year’s data shows that attacks against point of sale (POS) systems are actually decreasing somewhat. Perhaps most importantly, the underlying thread that is found throughout this year’s DBIR is the need for increased education and application of digital hygiene.

Each year’s DBIR is compiled based on data from breaches and incidents investigated by Verizon, law enforcement organizations, and other private sector contributors. This year, Verizon condensed their analysis to nine attack patterns common to all observed breaches. Within each of these patterns, Verizon cites the software and vectors attackers are exploiting, as well as other important statistics such as time to discovery and remediation. The nine attack patterns listed in the DBIR are POS intrusions, web application attacks, insider misuse, physical theft/loss, miscellaneous errors, crimeware, card skimmers, denial-of-service (DoS) attacks, and cyber-espionage. Within industry verticals, most attacks can be characterized by only three of the nine categories.

Attacks on web applications attacks were by far the most common threat type observed last year, with 35% of all confirmed incidents linked to web application security problems. These numbers represents a significant increase over the three-year average of 21% of data breaches from web application attacks. The DBIR states that nearly two thirds of attackers targeting web applications are motivated by ideology, while financial incentives drive another third. Attacks for financial reasons are most likely to target organizations from the financial and retail industries. These attacks tend to focus on user interfaces like those at online banking or payment sites, either by exploiting some underlying weakness in the application itself or by using stolen user credentials. To mitigate the use of stolen credentials, the DBIR advised companies to consider implementing some form of two-factor authentication, a recommendation that is made to combat several attack types in this year’s report.

The 2014 DBIR contains a wide array of detailed advice for companies who wish to do a better job of mitigating these threats. The bulk of this advice can be condensed into the following categories:

  • Be vigilant: Organizations often only find out about security breaches when they get a call from the police or a customer. Log files and change management systems can give you early warning.
  • Make your people your first line of defense:  Teach staff about the importance of security, how to spot the signs of an attack, and what to do when they see something suspicious.
  • Keep data on a ‘need to know basis’: Limit access to the systems staff need to do their jobs. And make sure that you have processes in place to revoke access when people change role or leave.
  • Patch promptly: Attackers often gain access using the simplest attack methods, ones that you could guard against simply with a well-configured IT environment and up-to-date anti-virus.
  • Encrypt sensitive data: Then if data is lost or stolen, it’s much harder for a criminal to use.
  • Use two-factor authentication: This won’t reduce the risk of passwords being stolen, but it can limit the damage that can be done with lost or stolen credentials.
  • Don’t forget physical security. Not all data thefts happen online. Criminals will tamper with computers or payment terminals or steal boxes of printouts.

These recommendations are further broken down by industry in the DBIR, but they largely come down to a liberal application of “elbow grease” on the part of companies and organizations. Executing on cyber security plans requires diligence and a determination to keep abreast of continual changes to the threat landscape, and often requires a shift in culture within a company. But with the FTC taking a more aggressive interest in data breaches, not to mention the possibility of civil suits as a response to less-than-adequate data security measures, companies and organizations would do well to make cyber security a top priority from the C-Suite on down.


Leave a comment

The FTC “Pins” Cole Haan on Pinterest Campaign: Disclosure of Contest Driving Endorsement of Products Required

The rise of social media for contests and marketing campaigns has captured the attention of the Federal Trade Commission (FTC), particularly campaigns that provide for contest entry based on what amounts to social media endorsements.  “Like Company XYZ now to enter!”  The FTC is taking stock and beginning to weigh in on this relatively recent practice.  Just ask Cole Haan.  Late last month, the FTC sent the popular shoemaker a letter marking the end of its investigation into a marketing campaign that turned on “pinning” Cole Haan products for entry into a contest.  In it, the FTC concluded that Cole Haan needed to do more to disclose the connection between the contestants’ “pins” and the company’s contest.

It all started last year when Cole Haan launched its Wandering Sole marketing campaign.  Cole Haan encouraged consumers to create Pinterest boards that included five shoe images from Cole Haan’s own Pinterest board and another five images of the contestants’ favorite places to wander.  Whoever created the board that the company dubbed most creative would win a $1,000 shopping spree.  To identify the contestants, Cole Haan asked that the Pinterest users include the hashtag #WanderingSole in the description of their images.

According to the FTC, Cole Haan allegedly created a “deceptive” situation with its Pinterest campaign because consumers may not have realized that the authors of the pinned content were receiving incentives for their endorsements, even if that incentive was the mere chance to win a contest.  Notably, the FTC determined that Cole Haan’s request that contestants include the contest-specific hashtag was insufficient to overcome the potential for deception.

The foundation for the FTC’s letter lies in 16 C.F.R. Part 255, Guides Concerning the Use of Endorsements and Testimonials in Advertising.  In § 255.5, the FTC explains that companies must “fully disclose” any connection between the company and an endorser of its products when that connection “might materially affect the weight or credibility of the endorsement.”  As for social media uses, the Guides specifically acknowledge the difficulty of determining the link between an individual’s Internet activity and a manufacturer’s marketing activity.  The FTC specifically points out that the marketer “presumably would not have initiated the process that led to the endorsements being made in these new media had it not concluded that a financial benefit would accrue from doing so.”  The importance of the FTC’s Cole Haan letter is that it explicitly states that a pin on a Pinterest board constitutes an “endorsement” and a contest entry constitutes a “connection” between the company and the endorser under § 255.5.  The FTC deliberately publicized its closing letter as a means to put companies on notice of its interpretation of the endorsement guidelines in connection with Pinterest contests.  The message is not that social media contests need to stop, but rather that they must be plainly disclosed for what they are. What the FTC considers an adequate disclosure, however, remains to be seen.  #StayTuned.

Cheryl A. Falvey of Crowell & Moring, LLP contributed to this post.


Leave a comment

FTC v. Wyndham Update, Part 3

In earlier updates, we’ve provided background and tracked the progress (and the unique circumstances) of FTC v. Wyndham Worldwide Corp., et al. On April 7, a highly anticipated opinion was issued by New Jersey District Court Judge Esther Salas in a case that will likely have broad implications in the realms of privacy and data security. Through a motion to dismiss, Wyndham argued that the FTC had no authority to assert a claim in the data security context, that the FTC must first formally promulgate data security regulations before bringing such a claim, and that the FTC’s pleadings of consumer harm were insufficient to support their claims. The Wyndham court sided with the FTC on all of these arguments, and dismissed Wyndham’s motion to dismiss.

Continue reading